email virus sending tons of emails

My email is sending messages even when it is not turned on. How can I stop it? My Avast keeps finding this virus, Win32:Agent-SPG [trj]. I ran HijackThis; not sure if I did it right or not. After I attached the file it was too big, so I will try to put the rest in the next message.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:55:16 PM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\System32\fxredir.exe
C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Motive\BellSouthBrowser.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\Chuck Austin\Desktop\HiJackThis_v2.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\UPS\WSTD\Messages\WSTDMessaging.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.ini"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [MotiveReportAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\BellSouthBrowser.exe" /hidden
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [advap32] "C:\WINDOWS\TEMP\NTA432.exe"/r
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\Messages\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Here is the rest

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/295f252ce5b9626a8b05/netzip/RdxIE601.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126185816889
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://152.1.131.130/activex/AMC.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://143.166.224.166/Media/visitorchat/TLIEFlash.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/UCSearch.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - file://D:\games\WebDriverFullInstall.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Windows Installer Class - {020487CC-FC04-4B1E-863F-D9801796230B} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Winkpxj - Unknown owner - C:\WINDOWS\System32\Winkpxj.exe (file missing)


End of file - 13872 bytes
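As an added example (not from the original post and not a feature of HijackThis), the script below does in code the triage a removal helper does by eye over the log above: it parses HijackThis entries and flags the ones that make this log interesting, namely the extra program appended to the Winlogon Userinit value (F2), Run values that point into a temp directory or borrow a Windows component name (O4), the DisableRegedit policy (O7), an unrecognised Winlogon Notify DLL (O20) and a service whose binary is missing or whose publisher is unknown (O23). The sample lines are copied from the log, written in HijackThis's own HKLM\..\Run form; the Winlogon Notify allowlist is a partial, assumed list of stock Windows XP DLLs.

```python
"""Triage of HijackThis log lines: flag the persistence entries a malware-removal
helper would zero in on. Added example; not part of the forum post or of HijackThis."""
import re

# Sample input: lines copied from the posted HijackThis log, plus the clean avast!
# entries for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [advap32] "C:\WINDOWS\TEMP\NTA432.exe"/r
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Winkpxj - Unknown owner - C:\WINDOWS\System32\Winkpxj.exe (file missing)
"""

# Assumed, partial allowlist of DLLs that back Winlogon Notify packages on a stock
# Windows XP install. HijackThis already hides most known-good notify entries, so
# anything it prints deserves a look regardless.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

LINE_RE = re.compile(r"^(?P<sect>[A-Z]\d{1,2}) - (?P<body>.+)$")
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\[^\s()"]+)')


def first_path(text):
    """Return the first quoted or drive-letter path in an entry, or ''."""
    m = PATH_RE.search(text)
    return (m.group(1) or m.group(2)) if m else ""


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def in_temp_dir(path):
    """True when any directory component of the path is a temp folder."""
    parts = [p.lower() for p in path.split("\\")]
    return any(p in ("temp", "tmp") for p in parts[:-1])


def triage(log_text):
    """Return (section, reason, line) for every entry worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sect, body = m.group("sect"), m.group("body")

        if sect == "F2" and "UserInit=" in body:
            # Userinit is a comma-separated list and Windows runs every entry at
            # logon; only userinit.exe belongs there.
            entries = [e.strip() for e in body.split("UserInit=", 1)[1].split(",") if e.strip()]
            for e in entries:
                if basename(e) != "userinit.exe":
                    findings.append((sect, "extra program in Userinit: " + e, line))

        elif sect == "O4":
            name = re.search(r"\[([^\]]+)\]", body)
            path = first_path(body.split("]", 1)[-1])
            if name and name.group(1).lower() == "userinit":
                findings.append((sect, "Run value named after a Windows logon component: " + path, line))
            elif in_temp_dir(path):
                findings.append((sect, "autorun from a temp directory: " + path, line))

        elif sect == "O7" and "DisableRegedit=1" in body:
            findings.append((sect, "registry editor disabled by policy", line))

        elif sect == "O20" and body.startswith("Winlogon Notify:"):
            dll = basename(first_path(body))
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append((sect, "unknown Winlogon Notify DLL: " + dll, line))

        elif sect == "O23":
            if "(file missing)" in body or "Unknown owner" in body:
                findings.append((sect, "service with missing binary or unknown publisher", line))
    return findings


if __name__ == "__main__":
    for sect, reason, line in triage(SAMPLE_LOG):
        print(f"{sect:<4} {reason}\n     {line}")
```

Run against the sample, the script reports seven entries and stays quiet on the avast! lines; the F2 finding alone explains the symptom in the first post, since a program listed in Userinit starts with every interactive logon whether or not the user ever opens a mail client.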

You can download the two programs before starting, but please run them in the order posted, including a new HJT log after the ComboFix run.

You can attach the logs by using the additional options button on the reply page. You may have to scroll down to see the browse button.

Thanks

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix folder will be extracted to %systemdrive%\ (the drive that contains the Windows directory, typically C:\SDFix). Open the SDFix folder in Safe Mode, then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot. Press any key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads, the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum.

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

- Please, never rename ComboFix unless instructed.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
- Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
- If there is no internet connection after running ComboFix, then restart your computer to restore your connection.
- Double click on combofix.exe and follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Here is the SDFix log

SDFix: Version 1.155

Run by Chuck Austin on Tue 03/11/2008 at 10:11 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
werasqlp
AFK26

Path:
\??\C:\WINDOWS\Cursors\werasqlp.cur
System32\Drivers\Afk26.sys

werasqlp - Deleted
AFK26 - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Session Manager\SubSystems:
Trojan File basebnp32.dll and startup entry Found!
basebnp32.dll will be removed after reboot if registry value is repaired

Rebooting

Service AFK26 - Deleted after Reboot

Session Manager\SubSystems:
ServerDll value restored to basesrv.dll
Key export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"

Removing C:\WINDOWS\system32\basebnp32.dll

Checking Files :

Trojan Files Found:

C:-13307~1 - Deleted
C:\Program Files\Helper\1205181186.dll - Deleted
C:\Program Files\WinReanimator\htmlayout.dll - Deleted
C:\Program Files\WinReanimator\pthreadVC2.dll - Deleted
C:\Program Files\WinReanimator\un.ico - Deleted
C:\Program Files\WinReanimator\unzip32.dll - Deleted
C:\Program Files\WinReanimator\WinReanimator.dll - Deleted
C:\Program Files\WinReanimator\WinReanimator.exe - Deleted
C:\Program Files\WinReanimator\data\daily.cvd - Deleted
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest - Deleted
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcm80.dll - Deleted
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcp80.dll - Deleted
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcr80.dll - Deleted
C:\WINDOWS\system32\a.exe - Deleted
C:\WINDOWS\system32\bns.dat - Deleted
C:\WINDOWS\system32\msram.dll - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\system32\WLCtrl32.dll - Deleted
C:\WINDOWS\system32\zlbw.dll - Deleted
C:\WINDOWS\Temp\ieobj.dll - Deleted
C:\WINDOWS\system32\basebnp32.dll - Deleted
C:\WINDOWS\Cursors\werasqlp.cur - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\system32\drivers\AFK26.sys - Deleted

Folder C:\Program Files\Helper - Removed
Folder C:\Program Files\WinReanimator - Removed
Folder C:\WINDOWS\system32\wsnpoem - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 22:24:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden services & system hive …

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rwtatpl]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\Cursors\rwtatpl.lid"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rwtatpl\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:e1c93c12
"s1"=dword:165a6500
"s2"=dword:50bbcc33
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:38,ca,84,ec,30,a6,12,7f,65,74,b5,e0,28,be,3e,31,72,5e,79,fc,32,...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rwtatpl]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\Cursors\rwtatpl.lid"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rwtatpl\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:38,ca,84,ec,30,a6,12,7f,65,74,b5,e0,28,be,3e,31,72,5e,79,fc,32,...

scanning hidden registry entries …

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\xf3\x2122\xf5w$\xb5\1]
“DisplayName”=“\t”
“DeviceDesc”=“\t”
“ProviderName”=“”
“MFG”=“\xedc”
“ReinstallString”=“2002, 6.13.10.5004”
“DeviceInstanceIds”=str(7):“”

scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 10

Remaining Services :

Rest of the SDFix log

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Infogrames\Pro Bass Fishing\Pro Bass.exe"="C:\Program Files\Infogrames\Pro Bass Fishing\Pro Bass.exe:*:Disabled:Pro Bass"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer"
"C:\Program Files\Yahoo! Games\Yahoo! Ten Pin Championship Bowling\Yahoo Ten Pin Championship Bowling.exe"="C:\Program Files\Yahoo! Games\Yahoo! Ten Pin Championship Bowling\Yahoo Ten Pin Championship Bowling.exe:*:Disabled:Skyworks Ten Pin Championship Bowling"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Valve\Steam\Steam.exe"="C:\Program Files\Valve\Steam\Steam.exe:*:Disabled:Steam"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealOne Player"
"C:\Program Files\Valve\Steam\SteamApps\brattylord\counter-strike\hl.exe"="C:\Program Files\Valve\Steam\SteamApps\brattylord\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"
"\\Webserver\Everything\WebcamServer\WebCam2000.exe"="\\Webserver\Everything\WebcamServer\WebCam2000.exe:*:Enabled:WebCam2000.exe"
"C:\WINDOWS\SYSTEM32\rtcshare.exe"="C:\WINDOWS\SYSTEM32\rtcshare.exe:*:Disabled:RTC App Sharing"
"C:\Program Files\Real\RealPlayer\realplayer.exe"="C:\Program Files\Real\RealPlayer\realplayer.exe:*:Enabled:RealOne Player"
"C:\Program Files\WildTangent\Blasterball 2\BB2.exe"="C:\Program Files\WildTangent\Blasterball 2\BB2.exe:*:Disabled:BB2"
"C:\Program Files\Yahoo! Games\Blasterball 2 Remix\bb2remix.exe"="C:\Program Files\Yahoo! Games\Blasterball 2 Remix\bb2remix.exe:*:Enabled:bb2remix"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Yahoo! Games\Yahoo! Pin High Country Club Golf\Course1.exe"="C:\Program Files\Yahoo! Games\Yahoo! Pin High Country Club Golf\Course1.exe:*:Enabled:Skyworks Pin High Country Club Golf"
"C:\Program Files\Yahoo! Games\Alien Shooter\AlienShooter.exe"="C:\Program Files\Yahoo! Games\Alien Shooter\AlienShooter.exe:*:Enabled:AlienShooter Application"
"C:\Program Files\Yahoo! Games\Final Drive Nitro\Racing.exe"="C:\Program Files\Yahoo! Games\Final Drive Nitro\Racing.exe:*:Enabled:Racing"
"C:\Program Files\Yahoo! Games\AstroPop Deluxe\WinAP.exe"="C:\Program Files\Yahoo! Games\AstroPop Deluxe\WinAP.exe:*:Enabled:AstroPop Deluxe"
"C:\Program Files\Yahoo! Games\Hamsterball\Hamsterball.exe"="C:\Program Files\Yahoo! Games\Hamsterball\Hamsterball.exe:*:Enabled:Hamsterball"
"C:\Program Files\Yahoo! Games\Magic Ball\MagicBall.exe"="C:\Program Files\Yahoo! Games\Magic Ball\MagicBall.exe:*:Enabled:MagicBall"
"C:\Program Files\QuickTime\QuickTimePlayer.exe"="C:\Program Files\QuickTime\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\Program Files\PopCap Games\Diamond Mine Deluxe\WinDM.exe"="C:\Program Files\PopCap Games\Diamond Mine Deluxe\WinDM.exe:*:Enabled:Bejeweled"
"C:\Program Files\GameHouse\Glinx\Glinx.exe"="C:\Program Files\GameHouse\Glinx\Glinx.exe:*:Enabled:Super Glinx!"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Microsoft Office\Office10\FRONTPG.EXE"="C:\Program Files\Microsoft Office\Office10\FRONTPG.EXE:*:Enabled:Microsoft FrontPage"
"C:\Program Files\SmartFTP Client\SmartFTP.exe"="C:\Program Files\SmartFTP Client\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
"C:\WINDOWS\SYSTEM32\fxsclnt.exe"="C:\WINDOWS\SYSTEM32\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 9 Oct 2006 4 A…H. — “C:\WINDOWS\uccspecb.sys”
Thu 19 Dec 2002 4,348 A.SH. — “C:\Documents and Settings\All Users\DRM\DRMv1.bak”
Thu 19 Dec 2002 401 A.SH. — “C:\Documents and Settings\All Users\DRM\DRMv19.bak”
Mon 2 Feb 2004 400 A.SH. — “C:\Documents and Settings\All Users\DRM\v2ks.bla.bak”
Mon 2 Feb 2004 48 A.SH. — “C:\Documents and Settings\All Users\DRM\v2ks.sec.bak”
Sun 11 Dec 2005 1,409 …H. — “C:\Documents and Settings\Kristina Austin\Local Settings\Temp\FOR1D.tmp”
Sun 11 Dec 2005 1,409 …H. — “C:\Documents and Settings\Kristina Austin\Local Settings\Temp\FOR1F.tmp”
Sat 10 Dec 2005 1,409 …H. — “C:\Documents and Settings\Kristina Austin\Local Settings\Temp\FOR4.tmp”
Sat 10 Dec 2005 1,409 …H. — “C:\Documents and Settings\Kristina Austin\Local Settings\Temp\FOR6.tmp”
Sat 10 Dec 2005 1,409 …H. — “C:\Documents and Settings\Kristina Austin\Local Settings\Temp\FOR8.tmp”
Sat 10 Dec 2005 1,409 …H. — “C:\Documents and Settings\Kristina Austin\Local Settings\Temp\FORA.tmp”
Sun 11 Dec 2005 2,776 …H. — “C:\Documents and Settings\Kristina Austin\Local Settings\Temp\ZTR1C.tmp”
Sun 11 Dec 2005 2,776 …H. — “C:\Documents and Settings\Kristina Austin\Local Settings\Temp\ZTR1E.tmp”
Sat 10 Dec 2005 2,764 …H. — “C:\Documents and Settings\Kristina Austin\Local Settings\Temp\ZTR3.tmp”
Sat 10 Dec 2005 2,764 …H. — “C:\Documents and Settings\Kristina Austin\Local Settings\Temp\ZTR5.tmp”
Sat 10 Dec 2005 2,764 …H. — “C:\Documents and Settings\Kristina Austin\Local Settings\Temp\ZTR7.tmp”
Sat 10 Dec 2005 2,764 …H. — “C:\Documents and Settings\Kristina Austin\Local Settings\Temp\ZTR9.tmp”
Wed 23 Jan 2008 0 A…H. — “C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT2.tmp”
Wed 9 Nov 2005 2,677,760 …H. — “C:\Documents and Settings\Chuck Austin\Application Data\Microsoft\Templates~WRL2578.tmp”
Mon 15 Aug 2005 19,968 …H. — “C:\Documents and Settings\Chuck Austin\Application Data\Microsoft\Word~WRL3422.tmp”
Tue 24 May 2005 8 A…H. — “C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp”
Tue 24 May 2005 8 A…H. — “C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp”
Tue 24 May 2005 8 A…H. — “C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp”
Tue 24 May 2005 8 A…H. — “C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp”
Fri 2 Jun 2006 8 A…H. — “C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp”

Finished!
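Two checks on the registry exports SDFix printed in the log above, as an added example that is not part of the post or of SDFix itself. The first is the csrss SubSystems "Windows" value: the trojan had pointed a ServerDll entry at basebnp32.dll, which gets that DLL loaded into csrss.exe at boot, and SDFix restored basesrv. The second is the Windows Firewall authorized-applications list, where every Enabled entry is an inbound hole for whatever binary lives at that path. The clean "Windows" value is the one SDFix printed; the hijacked variant is constructed by swapping the basesrv token, since SDFix only names the DLL and the exact token the trojan wrote is an assumption. The firewall sample is four entries copied from the export; treating C: as the system drive, and Program Files plus the Windows directory as the ordinary homes for exceptions, is likewise an assumption.

```python
"""Checks on the SDFix registry exports: csrss ServerDll entries and firewall
exceptions. Added example, not part of the forum post or of SDFix."""
import re

# Stock XP csrss server DLLs, as they appear in ServerDll= tokens.
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv"}

# The repaired value exactly as SDFix printed it.
WINDOWS_VALUE_CLEAN = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 "
    r"Windows=On SubSystemType=Windows ServerDll=basesrv,1 "
    r"ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
)
# Constructed: the same value with the substitution SDFix reported (assumed token spelling).
WINDOWS_VALUE_HIJACKED = WINDOWS_VALUE_CLEAN.replace("ServerDll=basesrv,1", "ServerDll=basebnp32,1")


def server_dlls(windows_value):
    """Module names from every ServerDll= token, entry point, index and .dll suffix dropped."""
    names = []
    for m in re.finditer(r"ServerDll=([^:,\s]+)", windows_value):
        name = m.group(1).lower()
        names.append(name[:-4] if name.endswith(".dll") else name)
    return names


def rogue_server_dlls(windows_value):
    """DLLs csrss would load that are not part of a stock XP install."""
    return sorted(set(server_dlls(windows_value)) - EXPECTED_SERVER_DLLS)


# Constructed sample: four entries copied from the firewall export in the log.
FIREWALL_SAMPLE = r"""
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer"
"\\Webserver\Everything\WebcamServer\WebCam2000.exe"="\\Webserver\Everything\WebcamServer\WebCam2000.exe:*:Enabled:WebCam2000.exe"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "
"""

ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<val>.*)"$')
# Assumed: C: is the system drive, so these prefixes cover Program Files and the Windows directory.
ORDINARY_ROOTS = ("c:\\program files\\", "c:\\windows\\", "%windir%\\", "%systemroot%\\")


def parse_firewall_list(export_text):
    """Each value is '<path>:<scope>:<Enabled|Disabled>:<display name>'; scope '*' means any network."""
    entries = []
    for line in export_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        rest = val[len(key):] if val.startswith(key) else val
        _, scope, state, name = rest.split(":", 3)
        entries.append({"path": key, "scope": scope,
                        "enabled": state.lower() == "enabled", "name": name.strip()})
    return entries


def enabled_exceptions(export_text):
    return [e for e in parse_firewall_list(export_text) if e["enabled"]]


def unusual_exceptions(export_text):
    """Enabled exceptions that point at a network share or outside the ordinary roots."""
    out = []
    for e in enabled_exceptions(export_text):
        p = e["path"].lower()
        if p.startswith("\\\\") or not p.startswith(ORDINARY_ROOTS):
            out.append(e)
    return out


if __name__ == "__main__":
    print("rogue csrss ServerDlls (clean):   ", rogue_server_dlls(WINDOWS_VALUE_CLEAN))
    print("rogue csrss ServerDlls (hijacked):", rogue_server_dlls(WINDOWS_VALUE_HIJACKED))
    for e in unusual_exceptions(FIREWALL_SAMPLE):
        print("review firewall exception:", e["path"], "->", e["name"])
```

On the sample, the clean value yields no rogue DLL, the hijacked one yields basebnp32, and the only exception singled out is the UNC path to WebCam2000.exe: an enabled rule for a binary on a file share is worth confirming with the owner even when it is legitimate, because whoever controls that share controls what the rule admits.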

ComboFix 08-03-10.1 - Chuck Austin 2008-03-11 22:46:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.336 [GMT -4:00]
Running from: C:\Documents and Settings\Chuck Austin\Desktop\ComboFix.exe

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\winivstr.exe

----- BITS: Possible infected sites -----

hxxp://flycodecs.com
.
((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.

2008-03-11 22:00 . 2008-03-11 22:00 d-------- C:\WINDOWS\ERUNT
2008-03-11 21:57 . 2008-03-11 22:37 d-------- C:\SDFix
2008-03-11 09:48 . 2008-03-11 09:48 552 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat
2008-03-11 09:29 . 2008-03-11 09:29 d-------- C:\Documents and Settings\Chuck Austin\Application Data\Grisoft
2008-03-11 09:29 . 2008-03-11 09:29 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-11 09:29 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-03-10 16:32 . 2008-03-10 16:32 147,456 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Adtool2.dll
2008-03-10 16:32 . 2008-03-10 16:32 75,082 --a------ C:\roeca.exe
2008-03-10 16:32 . 2008-03-10 16:32 58,368 --a------ C:\xpmdxq.exe
2008-03-09 09:00 . 2008-03-09 09:02 d-------- C:\Program Files\Windows Live
2008-03-09 09:00 . 2008-03-09 09:01 d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-09 09:00 . 2008-03-09 09:00 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-08 12:38 . 2008-03-09 14:32 159,744 --a------ C:\pggnf.exe
2008-03-08 12:38 . 2008-03-09 14:39 159,744 --a------ C:\caxlkn.exe
2008-03-08 12:38 . 2008-03-08 12:38 51,200 --a------ C:\udfm.exe
2008-03-08 12:38 . 2008-03-08 12:38 51,200 --a------ C:\hkldvx.exe
2008-03-08 12:38 . 2008-03-10 16:32 90 --a------ C:\WINDOWS\SYSTEM32\delself.bat
2008-03-01 10:50 . 2008-03-11 19:44 d-------- C:\Documents and Settings\Chuck Austin\Application Data\skypePM
2008-03-01 10:50 . 2008-03-01 10:50 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-01 10:45 . 2008-03-01 10:45 d-------- C:\Program Files\Skype
2008-03-01 10:45 . 2008-03-01 10:45 d-------- C:\Program Files\Common Files\Skype
2008-03-01 10:45 . 2008-03-11 21:49 d-------- C:\Documents and Settings\Chuck Austin\Application Data\Skype
2008-03-01 10:44 . 2008-03-01 10:45 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-02-29 08:21 . 2008-02-29 09:27 d-------- C:\Documents and Settings\Chuck Austin\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 00:28 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-10 22:23 --------- d-----w C:\Program Files\Burn4Free
2008-03-06 22:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-23 00:38 --------- d-----w C:\Documents and Settings\Chuck Austin\Application Data\U3
2008-01-28 20:14 --------- d-----w C:\Program Files\Common Files\Motive
2008-01-15 11:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-01-12 12:22 --------- d-----w C:\Documents and Settings\Chuck Austin\Application Data\MagicBall3
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-12-29 14:26 86,016 ----a-w C:\WINDOWS\SYSTEM32\gpscad_uninst.exe
2007-12-29 14:15 708,608 ----a-w C:\WINDOWS\SYSTEM32\CDDBUIRoxio.dll
2007-12-29 14:15 57,344 ----a-w C:\WINDOWS\uneng.exe
2007-12-29 14:15 569,344 ----a-w C:\WINDOWS\SYSTEM32\CDDBControlRoxio.dll
2007-12-29 14:15 49,152 ----a-w C:\WINDOWS\SYSTEM32\INETWH32.dll
2007-12-29 14:15 49,152 ----a-w C:\WINDOWS\SYSTEM32\cdrtc.dll
2007-12-29 14:15 45,056 ----a-w C:\WINDOWS\SYSTEM32\cdral.dll
2007-12-29 14:15 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\ROBOEX32.DLL
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mrxdav.sys
.
Files Infected - Win32.Agent.zb
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"monitr32"="C:\Program Files\Canon\MultiPASS4\monitr32.exe" [2001-08-21 17:52 311296]
"fxredir"="C:\WINDOWS\System32\fxredir.exe" [2001-08-21 17:49 65536]
"MPTBox"="C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe" [2001-08-21 17:52 151552]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"DNS7reminder"="C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.exe" [2004-10-30 13:38 729088]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"NA1Messenger"="C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe" [2007-03-23 22:24 20480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-12-29 10:15 684032]
"MotiveReportAgent"="C:\Program Files\Common Files\Motive\McciBootStrapper.exe" [2004-06-25 14:14 204800]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56 217194]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 23:07:32 81920]
UPS WorldShip Messaging Utility.lnk - C:\UPS\WSTD\Messages\WSTDMessaging.exe [2007-01-26 16:53:38 53248]
UPS WorldShip PLD Reminder Utility.lnk - C:\UPS\WSTD\wstdPldReminder.exe [2007-01-26 16:52:20 36864]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

The rest of combo fix

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UPS WorldShip PLD Reminder Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UPS WorldShip PLD Reminder Utility.lnk
backup=C:\WINDOWS\pss\UPS WorldShip PLD Reminder Utility.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^Chuck Austin^Start Menu^Programs^Startup^Dragon NaturallySpeaking.lnk]
path=C:\Documents and Settings\Chuck Austin\Start Menu\Programs\Startup\Dragon NaturallySpeaking.lnk
backup=C:\WINDOWS\pss\Dragon NaturallySpeaking.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2007-12-29 10:15 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 18:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 08:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
--a------ 2002-12-17 16:49 53248 C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OmniPage]
C:\Program Files\Caere\OmniPagePro90\opware32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2003-09-29 17:00 155648 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2006-10-31 09:50 163576 C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-06-01 07:27 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"StarWindService"=2 (0x2)
"iPodService"=3 (0x3)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Internet Explorer\iexplore.exe"=
"C:\Program Files\NetMeeting\conf.exe"=
"C:\Program Files\Messenger\msmsgs.exe"=
"C:\Program Files\Real\RealPlayer\realplay.exe"=
"C:\WINDOWS\SYSTEM32\rtcshare.exe"=
"C:\Program Files\Real\RealPlayer\realplayer.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\QuickTime\QuickTimePlayer.exe"=
"C:\Program Files\Mozilla Firefox\firefox.exe"=
"C:\Program Files\Microsoft Office\Office10\FRONTPG.EXE"=
"C:\Program Files\SmartFTP Client\SmartFTP.exe"=
"C:\WINDOWS\SYSTEM32\fxsclnt.exe"=
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"C:\Program Files\Windows Live\Messenger\livecall.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=

R2 cis1284;cis1284;C:\WINDOWS\System32\drivers\cis1284.sys [2001-06-26 21:00]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe [2005-05-04 01:04]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 10:05]
S2 grande48;grande48;C:\WINDOWS\system32\drivers\grande48.sys
S2 YANSKOBL;YANSKOBL;C:\WINDOWS\system32\yanskobl.pup
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 13:48]
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\system32\drivers\NMSCFG.SYS [2002-05-03 12:30]
S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 12:29]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE [2005-05-03 22:42]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 14:52]
S4 Winkpxj;Winkpxj;C:\WINDOWS\System32\Winkpxj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8148d159-a234-11db-a9fd-0007e9b310b3}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-12 02:25:28 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 22:51:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\rwtatpl]
"ImagePath"="\??\C:\WINDOWS\Cursors\rwtatpl.lid"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\YANSKOBL]
"ImagePath"="\??\C:\WINDOWS\system32\yanskobl.pup"
.
Completion time: 2008-03-11 22:52:42
ComboFix-quarantined-files.txt 2008-03-12 02:52:08
.
2008-03-06 12:48:08 --- E O F ---

HJT

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:54:07 PM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\fxredir.exe
C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Motive\BellSouthBrowser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\UPS\WSTD\Messages\WSTDMessaging.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Chuck Austin\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.ini"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM..\Run: [NA1Messenger] C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM..\Run: [MotiveReportAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\BellSouthBrowser.exe" /hidden
O4 - HKLM..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS.DEFAULT..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\Messages\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

The last of HJT. The computer is still sending emails. Thanks for your help.

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/295f252ce5b9626a8b05/netzip/RdxIE601.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126185816889
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://152.1.131.130/activex/AMC.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://143.166.224.166/Media/visitorchat/TLIEFlash.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/UCSearch.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - file://D:\games\WebDriverFullInstall.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Windows Installer Class - {020487CC-FC04-4B1E-863F-D9801796230B} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe


End of file - 12693 bytes

Yes, I suppose it is. We got some but not all that time. There is one quite buried.

We’ll start with this.

  • Try to turn on the Windows Firewall, if you do not have a 3rd party firewall. If you are unable to turn it on, please do the following steps.

Download the Registry Search Tool from here:
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens enter the following (copy and paste is fine):

EnableFirewall

Press ‘OK’

The search will run for a while then alert you when it is finished.

Press ‘OK’ and copy the contents of the WordPad window and post in this thread.

Try to turn the firewall on.

Then go online for this, we have to stop some of the traffic. Once you get it installed, make sure avast.setup and ashwebsv.exe, and if possible block ports 110 and 25. These are the likely ports this thing is using.

  • If you are using Windows Firewall, please note that it doesn't provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

or

http://forum.avast.com/index.php?topic=33530.0

Now we begin.

  • Please download and use this program, we will be making a couple of reg fixes before we are done.

Download and run ERUNT http://www.larshederer.homepage.t-online.de/erunt/

Note: the download links are server1, server2, server3.

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click “…” to browse your computer’s drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.

Next, select the backup options:

  • System registry:

  • Current user registry:

  • Other open user registries:

Click “OK” and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

  • You have an old version of HJT, please delete it. You can download a new one from the links below, please follow the prompts to ensure it is installed in its own folder.

Click here to download HJTsetup.exe

  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.

  • Copy this part of these instructions into a notepad so you can refer to them while in safe mode.

Step #1

Start in Safe Mode Using the F8 method:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.

Use the arrow keys to select the Safe Mode menu item.

Press the Enter key.

Step #2

Now we will need to disable the driver for this thing. Please do the following:

Click Start, click Control Panel, click Performance and Maintenance, and then click System.

(Please note, that depending on how you have your computer set up, the path to the system icon may be start, control panel, system.)

On the Hardware tab, click Device Manager.

Click the View menu and if there is no checkmark in front of Show hidden devices then click on it to activate it.

Scroll down the list of devices and double-click Non-Plug and Play Drivers.

Locate rwtatpl and right click it and then click the Properties option.

Click the Driver tab.

In the Startup section select Disable from the drop-down list.

Click General tab.

In the Device Usage drop-down list select Do not use this device (disable).

Click the Ok button and you should be prompted to reboot. You can reboot normally.

  • Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

Killall::

File::
C:\roeca.exe
C:\WINDOWS\SYSTEM32\DRIVERS\Adtool2.dll
C:\xpmdxq.exe
C:\pggnf.exe
C:\caxlkn.exe
C:\udfm.exe
C:\hkldvx.exe
C:\WINDOWS\SYSTEM32\delself.bat

This will start ComboFix again. Close all browser/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

  • Please submit these files for analysis

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\System32\Winkpxj.exe
C:\WINDOWS\system32\yanskobl.pup
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\Cursors\rwtatpl.lid

Scroll down a bit and click "send file", wait for the results and post them in your next reply.

Please post back whether you were able to perform the steps in safe mode, your firewall status, the virustotal results and the combofix log.

Thanks

BTW you can attach the logs by using the additional options button on the reply page, you may have to scroll down a bit to see the browse button. :wink:

Good morning, got to step #2 but could not see rwtatpl. Show hidden devices was checked.
I didn't know if I should skip that step or not so I stopped.

Thanks

Good morning to you too, though it's night here.

Okay, it’s really hidden. Just carry on. We’ll deal with that in a different way.

Post the logs/results. I’ll get to them as soon as I get up (don’t sleep much) :wink:

Thanks I will have a good rest

In virustotal.com, every time I uploaded it said 0 bytes size received / Se ha recibido un archivo vacio.
I looked in the files to see if I could locate them and the only one I could verify existed was the C:\WINDOWS\Cursors\rwtatpl.lid file. Don't know if this helps.

Thanks

Your firewall is blocking the access to that file, or the file is in use (virus activated) and can't be sent… Seems you're infected and I suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on.
  4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Hi, I'm new to this forum stuff. I was getting help from oldman; do you guys work together? I don't want to get anyone upset. But I really would like to fix this problem if possible. How does that work?

Some malware is protected from uploading resulting in this 0 byte size, I have seen it in the forums before. So when oldman gets on the case again he may be able to catch what is stopping it being uploaded.

Normally it is a collaboration as the internet never sleeps, but the problem here is the tools that are being used: there are only a few that are familiar with them, reading their logs, etc. It is therefore usual to stick with the same person helping, but not exclusive.

Having run combofix it is entirely possible that what may have been protecting the file you tried to upload to virustotal. Whilst I’m not entirely familiar with the combofix log, there have been a number of deletions, so I would suggest trying to upload that file (rwtatpl.lid) again if it still exists for scanning. There is actually reference to rwtatpl.lid in the combofix log, though I don’t fully understand what it means.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\rwtatpl] "ImagePath"="\??\C:\WINDOWS\Cursors\rwtatpl.lid"

ccaj:

"I was getting help from oldman, do you guys work together? I don't want to get anyone upset. But I really would like to fix this problem if possible."
ccaj, it probably would be wise to wait for oldman before doing anything, as he should be able to analyse your problem and help you. He has prepared a lot of tests for you so far, it is a delicate situation. If possible it would be best to wait till oldman gets on the case again.

Thanks for all your input I’ll wait for oldman to return from his slumber.